December 27, 2013
Snapchat Security Flaw Discovered – And Ignored
Peter Suciu for redOrbit.com – Your Universe Online
Security researchers reported finding a new security flaw in Snapchat, the social media app that lets users send each other pictures that disappear after 10 seconds. Because of that feature, users often send risqué pictures, and so they value the anonymity and place a great deal of trust in Snapchat’s security.
“Snapchat has a feature where it will grab all the numbers from your address book, upload them to their server [which is pretty bad by itself] and suggests you friends,” a spokesman for Gibson Security told the Guardian Australia on Friday. “We discovered that if you were to go through and scan single phone number through this 'find friends' function you could essentially obtain the phone number of a Snapchat user.”
The security researchers added they had approached Snapchat four months ago with details about the vulnerability but said they received no response. As a result, the group published the full details of their findings on Christmas Day which, if accurate, outline exactly how the loophole can be exploited by potential hackers.
“As our final goodbye to Snapchat [we're moving onto other projects now], we decided to release everything we have,” the group added in its guide.
The anonymous researchers also have reaffirmed they did not publish their findings to provide a blueprint for hackers.
“Note that publishing exploits is a common tactic among security researchers if an app developer ignores them. It’s called ‘full disclosure’ and it’s got a ‘blackmail for the good of society’ flavor about it. The idea is to force companies to beef up their security by exposing the weaknesses to the world,” the group’s spokesperson told Business Insider. “It’s a little like a security guard finding an open window in an office building, telling the building owner to close and lock the window and, if ignored for a month or more, telling all interested thieves about the open window and what to steal inside.”
Gibson Security has also claimed that at least part of this vulnerability, including the bulk register exploit, could be fixed with a handful of lines of code, but Snapchat has so far opted not to do so.
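To make the "handful of lines" claim concrete from the defender's side, here is an added illustration (not Snapchat's code, and not the researchers' published material). It models a "find friends" lookup that maps uploaded phone numbers to registered users, first without any guard and then with a per-account lookup budget and a batch-size cap, which is the kind of small server-side check that turns unlimited enumeration of the user base into a throttled, detectable activity. The registry, account names and limits are all constructed for the example.

```python
"""Contact-lookup ("find friends") service with an enumeration guard.

Added example, not Snapchat's own code. It shows an unguarded lookup
beside a guarded one that enforces a batch cap and a per-account
budget of numbers per time window. All data below is constructed.
"""
import time
from collections import defaultdict

# Constructed sample registry: phone number -> username (hypothetical).
REGISTERED = {
    "+15550100": "alice",
    "+15550101": "bob",
    "+15550102": "carol",
}


def find_friends_unguarded(numbers):
    """Unguarded lookup: answers any list of any size, so a client can
    walk a whole number range and learn which numbers have accounts."""
    return {n: REGISTERED[n] for n in numbers if n in REGISTERED}


class LookupLimitExceeded(Exception):
    """Raised when a client exceeds the batch cap or its lookup budget."""


class FindFriendsService:
    """Guarded lookup: caps the batch size and charges each looked-up
    number against a per-account budget that resets every window.

    Note that hashing the numbers before upload would not by itself stop
    enumeration (the phone-number space is small enough to hash exhaustively),
    which is why a budget is the essential part of the fix.
    """

    def __init__(self, max_batch=100, budget_per_window=500, window_seconds=3600):
        self.max_batch = max_batch
        self.budget = budget_per_window
        self.window = window_seconds
        # account -> [numbers charged in current window, window start time]
        self._usage = defaultdict(lambda: [0, 0.0])

    def _charge(self, account, n, now):
        count, start = self._usage[account]
        if now - start >= self.window:      # window expired: start a fresh one
            count, start = 0, now
        if count + n > self.budget:
            raise LookupLimitExceeded(
                f"{account}: {count + n} lookups would exceed budget {self.budget}")
        self._usage[account] = [count + n, start]

    def find_friends(self, account, numbers, now=None):
        """Return {number: username} for registered numbers in `numbers`,
        after enforcing the batch cap and charging the account's budget."""
        now = time.time() if now is None else now
        if len(numbers) > self.max_batch:
            raise LookupLimitExceeded(
                f"batch of {len(numbers)} exceeds cap {self.max_batch}")
        self._charge(account, len(numbers), now)
        return {n: REGISTERED[n] for n in numbers if n in REGISTERED}


if __name__ == "__main__":
    svc = FindFriendsService(max_batch=3, budget_per_window=5)
    print(svc.find_friends("acct1", ["+15550100", "+15550999"], now=0))
    try:
        svc.find_friends("acct1", ["+15550101", "+15550102", "+15550103", "+15550104"], now=1)
    except LookupLimitExceeded as exc:
        print("rejected:", exc)
```

The budget here is deliberately simple (a fixed window keyed on account); a production service would key on account and source address, log the rejections, and alert on accounts that repeatedly hit the cap, since that pattern is exactly what a bulk scan looks like.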
All this news comes just weeks after the social media photo sharing app turned down an offer to be acquired by Facebook. The social network had made a reported $3 billion all-cash acquisition offer in November which the company’s founders turned down.
Earlier this month the company also filed a restraining order against Frank Reginald Brown, one of the company’s founders, who claimed he had come up with the idea for the company.
This exploit is not the first time Snapchat has faced allegations that it couldn’t keep private videos truly private. Last December, it was found that some users had found ways to save, or at least view, videos after the deadline had passed.
An iPhone file browser such as iFunBox gave an open view of all the files saved on the device, which in effect defeated the service’s expiration feature.